Hacker News new | past | comments | ask | show | jobs | submit login

Krebs mentioned that Mitch logged into his bank account while on the phone with the scammers. That's a HUGE no. We live in a threshold period where acoustic emanation attacks are about to become much more commonplace due to increasing computational capabilities. [0]

Getting you to browse your computer for 10-20 minutes and then log into your bank account could be enough to gain access to your account.

And 2FA is proven insecure with SIM hijacking. These methods have a high up front time investment but will take even less effort than Mitch's gambit once deployed.

https://www.cs.cornell.edu/~shmat/courses/cs6431/zhuang.pdf [0]




Do you think a phone call is high enough bitrate for these attacks, or are you implying parabolic microphones could be used to make this happen?

The mentioned paper contains a remark:

> While recording from the third keyboard, we get several seconds of unexpected noise from a cellphone nearby.

But that's the only mention of a phone in the paper ...


I don't think the techniques and technology have become quite refined enough for this to be widely deployed, at most people are simply experimenting with the idea. But people are taking this seriously because it represents quite an attack vector once things fall into place. The thing is we won't know when we've reached that threshold until the first news stories about a widespread phishing scam using the technique emerge.

It seems VoIP will be the first low-hanging fruit: https://arxiv.org/pdf/1609.09359.pdf


> Krebs mentioned that Mitch logged into his bank account while on the phone with the scammers. That's a HUGE no. We live in a threshold period where acoustic emanation attacks are about to become much more commonplace due to increasing computational capabilities.

Huh, this reminds me that a major US bank verifies people on the phone by asking them to log on to online banking.

I love the convenience, but it's never crossed my mind that it was a huge vulnerability waiting to happen.


It will take a series of high profile hacking incidents to finally wake the public up to the need to develop mitigations. We won't see the problem until it's widespread.


A password manager makes this attack vector useless. The sound of my typing my password on any site is the keyboard shortcut to activate it, my finger silently passing Touch ID, and the "enter" key.


I don't think that method is very reliable for pulling credentials.

Google is one example of companies that asks its GSUITE admins to login to confirm support ticket codes.


You just need to mute the call before authenticating.


Google Voice for 2FA. Some companies still have issues with Google Voice SMS (Paypal, I'm looking at you), but it is preferable.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: